Beispiel #1
0
 public virtual Task <SecurityToken> ReadTokenCoreAsync(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
 {
     return(Task.FromResult(ReadTokenCore(reader, tokenResolver)));
 }
        public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
        {
            if (reader == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
            }
            if (samlSerializer == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
            }
            SamlDictionary samlDictionary = samlSerializer.DictionaryManager.SamlDictionary;

            reader.MoveToContent();
            reader.Read();
            while (reader.IsStartElement())
            {
                if (!reader.IsStartElement(samlDictionary.AssertionIdReference, samlDictionary.Namespace))
                {
                    if (!reader.IsStartElement(samlDictionary.Assertion, samlDictionary.Namespace))
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLBadSchema", new object[] { samlDictionary.Evidence.Value })));
                    }
                    SamlAssertion item = new SamlAssertion();
                    item.ReadXml(reader, samlSerializer, keyInfoSerializer, outOfBandTokenResolver);
                    this.assertions.Add(item);
                }
                else
                {
                    reader.MoveToContent();
                    this.assertionIdReferences.Add(reader.ReadString());
                    reader.ReadEndElement();
                    continue;
                }
            }
            if ((this.assertionIdReferences.Count == 0) && (this.assertions.Count == 0))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLEvidenceShouldHaveOneAssertionOnRead")));
            }
            reader.MoveToContent();
            reader.ReadEndElement();
        }
 public override SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
 {
     return(base.ReadToken(reader, tokenResolver));
 }
Beispiel #4
0
        /// <summary>
        /// Initializes the object with a UA identity token
        /// </summary>
        private void Initialize(IssuedIdentityToken token, SecurityTokenSerializer serializer, SecurityTokenResolver resolver)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            string text = new UTF8Encoding().GetString(token.DecryptedTokenData);

            XmlDocument document = new XmlDocument();

            document.InnerXml = text.Trim();
            XmlNodeReader reader = new XmlNodeReader(document.DocumentElement);

            try
            {
                if (document.DocumentElement.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion")
                {
                    SecurityToken samlToken = new SamlSerializer().ReadToken(reader, serializer, resolver);
                    Initialize(samlToken);
                }
                else
                {
                    SecurityToken securityToken = serializer.ReadToken(reader, resolver);
                    Initialize(securityToken);
                }
            }
            finally
            {
                reader.Close();
            }
        }
 public abstract void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver);
Beispiel #6
0
 // RSTR specific method
 public abstract SecurityToken GetEntropy(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver);
Beispiel #7
0
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
            SecurityTokenRequirement requirement,
            out SecurityTokenResolver outOfBandTokenResolver)
        {
            outOfBandTokenResolver = null;
            if (requirement.TokenType == SecurityTokenTypes.UserName)
            {
                return(CreateUserNameAuthenticator(requirement));
            }
            if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                return(CreateX509Authenticator(requirement));
            }
            if (requirement.TokenType == SecurityTokenTypes.Rsa)
            {
                return(new RsaSecurityTokenAuthenticator());
            }
            if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation)
            {
                SecurityBindingElement binding;
                if (!requirement.TryGetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty, out binding))
                {
                    throw new ArgumentException("SecurityBindingElement is required in the security token requirement");
                }
                SecureConversationSecurityTokenParameters issuedParams;
                if (!requirement.TryGetProperty <SecureConversationSecurityTokenParameters> (ReqType.IssuedSecurityTokenParametersProperty, out issuedParams))
                {
                    throw new ArgumentException("IssuedSecurityTokenParameters are required in the security token requirement");
                }
                BindingContext issuerBC;
                if (!requirement.TryGetProperty <BindingContext> (ReqType.IssuerBindingContextProperty, out issuerBC))
                {
                    throw new ArgumentException("IssuerBindingContext is required in the security token requirement");
                }
                SecurityTokenVersion secVer;
                if (!requirement.TryGetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty, out secVer))
                {
                    throw new ArgumentException("MessageSecurityVersion property (of type SecurityTokenVersion) is required in the security token requirement");
                }

                // FIXME: get parameters from somewhere
                SecurityContextSecurityTokenResolver resolver =
                    new SecurityContextSecurityTokenResolver(0x1000, true);
                outOfBandTokenResolver = resolver;
                SecurityContextSecurityTokenAuthenticator sc =
                    new SecurityContextSecurityTokenAuthenticator();
                return(new SecureConversationSecurityTokenAuthenticator(requirement, sc, resolver));
            }
            if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
            {
                return(CreateSslTokenAuthenticator(requirement));
            }
            if (requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
            {
                return(CreateSslTokenAuthenticator(requirement));
            }
            if (requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
            {
                return(CreateSpnegoTokenAuthenticator(requirement));
            }
            else
            {
                throw new NotImplementedException("Not implemented token type: " + requirement.TokenType);
            }
        }
 CreateSecurityTokenAuthenticator(SecurityTokenRequirement
                                  tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
 {
     return(base.CreateSecurityTokenAuthenticator(tokenRequirement,
                                                  out outOfBandTokenResolver));
 }
 protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
 {
     return(new DummySecurityToken());
 }
Beispiel #10
0
 public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
 {
     if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
     {
         outOfBandTokenResolver = null;
         return(new ClaimsTokenAuthenticator());
     }
     else
     {
         return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
     }
 }
        public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
        {
            if (reader == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
            }
            if (samlSerializer == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
            }
            SamlDictionary samlDictionary = samlSerializer.DictionaryManager.SamlDictionary;

            this.name = reader.GetAttribute(samlDictionary.AttributeName, null);
            if (string.IsNullOrEmpty(this.name))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeMissingNameAttributeOnRead")));
            }
            this.nameSpace = reader.GetAttribute(samlDictionary.AttributeNamespace, null);
            if (string.IsNullOrEmpty(this.nameSpace))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeMissingNamespaceAttributeOnRead")));
            }
            this.claimType = string.IsNullOrEmpty(this.nameSpace) ? this.name : (this.nameSpace + "/" + this.name);
            reader.MoveToContent();
            reader.Read();
            while (reader.IsStartElement(samlDictionary.AttributeValue, samlDictionary.Namespace))
            {
                string item = reader.ReadString();
                this.attributeValues.Add(item);
                reader.MoveToContent();
                reader.ReadEndElement();
            }
            if (this.attributeValues.Count == 0)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeShouldHaveOneValue")));
            }
            reader.MoveToContent();
            reader.ReadEndElement();
        }
Beispiel #12
0
        public override System.IdentityModel.Selectors.SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement.TokenType == Constants.UsernameTokenType)
            {
                outOfBandTokenResolver = null;
                return(new SecurityTokenAuthenticator(_serviceCredentials.Validator));
            }

            return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
        }
Beispiel #13
0
 protected override SecurityToken ReadTokenCore(System.Xml.XmlReader reader, SecurityTokenResolver tokenResolver)
 {
     throw new NotImplementedException();
 }
        public override SecurityTokenAuthenticator CreateTokenAuthenticator(SecurityTokenParameters p, out SecurityTokenResolver resolver)
        {
            resolver = null;
            // This check might be almost extra, though it is
            // needed to check correct signing token existence.
            //
            // Not sure if it is limited to this condition, but
            // Ssl parameters do not support token provider and
            // still do not fail. X509 parameters do fail.
            if (!RecipientParameters.InternalSupportsServerAuthentication)
            {
                return(null);
            }

            SecurityTokenRequirement r = CreateRequirement();

            r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
            InitializeRequirement(p, r);
            return(SecurityTokenManager.CreateSecurityTokenAuthenticator(r, out resolver));
        }
        SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
        {
            SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
            }
            bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
            LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;

            sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);

            TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();

            authenticator.IsClientAnonymous = !requireClientCertificate;
            if (requireClientCertificate)
            {
                authenticator.ClientTokenAuthenticator       = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
                authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
            }
            authenticator.EncryptStateInServiceToken    = isCookieMode;
            authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
            authenticator.IssuedTokenCache       = (ISecurityContextSecurityTokenCache)sctResolver;
            authenticator.IssuerBindingContext   = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            authenticator.ListenUri              = recipientRequirement.ListenUri;
            authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
            authenticator.StandardsManager       = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
            authenticator.SecurityStateEncoder   = parent.SecureConversationAuthentication.SecurityStateEncoder;
            authenticator.KnownTypes             = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
            authenticator.ServerTokenProvider    = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
            // local security quotas
            authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
            authenticator.NegotiationTimeout            = localServiceSettings.NegotiationTimeout;
            authenticator.ServiceTokenLifetime          = localServiceSettings.IssuedCookieLifetime;
            authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
            // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
            if (securityBindingElement is TransportSecurityBindingElement)
            {
                authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
            }
            // audit settings
            authenticator.AuditLogLocation                = recipientRequirement.AuditLogLocation;
            authenticator.SuppressAuditFailure            = recipientRequirement.SuppressAuditFailure;
            authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
            return(authenticator);
        }
Beispiel #16
0
 public SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver resolver)
 {
     CheckReader(reader);
     return(ReadTokenCore(reader, resolver));
 }
        SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (recipientRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
            }

            Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>();

            if (parent.ServiceCertificate.Certificate != null)
            {
                outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
            }
            List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();

            if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
            {
                for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
                {
                    outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
                }
            }

            X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();

            supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));

            if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
            {
                supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
            }

            outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null;

            SamlSecurityTokenAuthenticator ssta;

            if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
            {
                ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
            }
            else
            {
                ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
            }

            // set audience uri restrictions
            ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
            IList <string> allowedAudienceUris = ssta.AllowedAudienceUris;

            if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
            {
                for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
                {
                    allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
                }
            }

            if (recipientRequirement.ListenUri != null)
            {
                allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
            }

            return(ssta);
        }
Beispiel #18
0
        protected static SecurityToken ResolveKeyIdentifier(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isFromSignature)
        {
            SecurityToken token;

            if (!TryResolveKeyIdentifier(keyIdentifier, resolver, isFromSignature, out token))
            {
                if (isFromSignature)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
                                                                                  SR.GetString(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
                                                                                  SR.GetString(SR.UnableToResolveKeyInfoForDecryption, keyIdentifier, resolver)));
                }
            }

            return(token);
        }
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }
            string tokenType = tokenRequirement.TokenType;

            outOfBandTokenResolver = null;
            SecurityTokenAuthenticator result = null;

            if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
            {
                // this is the uncorrelated duplex case in which the server is asking for
                // an authenticator to validate its provisioned client certificate
                if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                {
                    return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
                }
            }

            RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;

            if (recipientRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }
            if (tokenType == SecurityTokenTypes.X509Certificate)
            {
                result = CreateClientX509TokenAuthenticator();
            }
            else if (tokenType == SecurityTokenTypes.Kerberos)
            {
                result = new KerberosSecurityTokenAuthenticatorWrapper(
                    new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
            }
            else if (tokenType == SecurityTokenTypes.UserName)
            {
                if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
                {
                    if (parent.UserNameAuthentication.CacheLogonTokens)
                    {
                        result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups,
                                                                                      parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
                    }
                    else
                    {
                        result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
                    }
                }
                else
                {
                    result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator());
                }
            }
            else if (tokenType == SecurityTokenTypes.Rsa)
            {
                result = new RsaSecurityTokenAuthenticator();
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
            {
                result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
            {
                result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
            {
                result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
            {
                result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
            }
            else if ((tokenType == SecurityTokenTypes.Saml) ||
                     (tokenType == SecurityXXX2005Strings.SamlTokenType) ||
                     (tokenType == SecurityJan2004Strings.SamlUri) ||
                     (tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement)))
            {
                result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
            }

            if (result == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }

            return(result);
        }
Beispiel #20
0
 // RSTR specific method
 public abstract GenericXmlSecurityToken GetIssuedToken(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver, IList <SecurityTokenAuthenticator> allowedAuthenticators, SecurityKeyEntropyMode keyEntropyMode, byte[] requestorEntropy,
                                                        string expectedTokenType, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies, int defaultKeySize, bool isBearerKeyType);
        protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
        {
            SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
            }
            bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
            LocalServiceSecuritySettings          localServiceSettings = securityBindingElement.LocalServiceSettings;
            IMessageFilterTable <EndpointAddress> endpointFilterTable  = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);

            if (!isCookieMode)
            {
                sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false);

                // remember this authenticator for future reference
                SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator();
                authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
                authenticator.IssuedSecurityTokenParameters   = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                authenticator.IssuedTokenCache              = (ISecurityContextSecurityTokenCache)sctResolver;
                authenticator.IssuerBindingContext          = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
                authenticator.KeyEntropyMode                = securityBindingElement.KeyEntropyMode;
                authenticator.ListenUri                     = recipientRequirement.ListenUri;
                authenticator.SecurityAlgorithmSuite        = recipientRequirement.SecurityAlgorithmSuite;
                authenticator.SessionTokenLifetime          = TimeSpan.MaxValue;
                authenticator.KeyRenewalInterval            = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval;
                authenticator.StandardsManager              = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
                authenticator.EndpointFilterTable           = endpointFilterTable;
                authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
                authenticator.NegotiationTimeout            = localServiceSettings.NegotiationTimeout;
                authenticator.PreserveBootstrapTokens       = preserveBootstrapTokens;
                return(authenticator);
            }
            else
            {
                sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);

                AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator();
                authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
                authenticator.KeyEntropyMode                = securityBindingElement.KeyEntropyMode;
                authenticator.EncryptStateInServiceToken    = true;
                authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                authenticator.IssuedTokenCache              = (ISecurityContextSecurityTokenCache)sctResolver;
                authenticator.IssuerBindingContext          = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
                authenticator.ListenUri = recipientRequirement.ListenUri;
                authenticator.SecurityAlgorithmSuite  = recipientRequirement.SecurityAlgorithmSuite;
                authenticator.StandardsManager        = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
                authenticator.SecurityStateEncoder    = parent.SecureConversationAuthentication.SecurityStateEncoder;
                authenticator.KnownTypes              = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
                authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;

                // local security quotas
                authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
                authenticator.NegotiationTimeout            = localServiceSettings.NegotiationTimeout;
                authenticator.ServiceTokenLifetime          = localServiceSettings.IssuedCookieLifetime;
                authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;

                // audit settings
                authenticator.AuditLogLocation                = recipientRequirement.AuditLogLocation;
                authenticator.SuppressAuditFailure            = recipientRequirement.SuppressAuditFailure;
                authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
                authenticator.EndpointFilterTable             = endpointFilterTable;
                return(authenticator);
            }
        }
Beispiel #22
0
 SecurityTokenResolver GetResolver(bool canMatchLocalId, params SecurityToken [] tokens)
 {
     return(SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken> (tokens), canMatchLocalId));
 }
        public override void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
        {
            if (reader == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
            }

            if (samlSerializer == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
            }

#pragma warning suppress 56506 // samlSerializer.DictionaryManager is never null.
            SamlDictionary dictionary = samlSerializer.DictionaryManager.SamlDictionary;

            reader.MoveToContent();
            reader.Read();
            while (reader.IsStartElement())
            {
                if (reader.IsStartElement(dictionary.Audience, dictionary.Namespace))
                {
                    reader.MoveToContent();
                    string audience = reader.ReadString();
                    if (string.IsNullOrEmpty(audience))
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceRestrictionInvalidAudienceValueOnRead)));
                    }

                    this.audiences.Add(new Uri(audience));
                    reader.MoveToContent();
                    reader.ReadEndElement();
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLBadSchema, dictionary.AudienceRestrictionCondition.Value)));
                }
            }

            if (this.audiences.Count == 0)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceRestrictionShouldHaveOneAudienceOnRead)));
            }

            reader.MoveToContent();
            reader.ReadEndElement();
        }
Beispiel #24
0
 /// <summary>
 /// Initializes the object with a UA identity token.
 /// </summary>
 /// <param name="token">The token.</param>
 /// <param name="serializer">The token serializer.</param>
 /// <param name="resolver">The token resolver.</param>
 public UserIdentity(IssuedIdentityToken token, SecurityTokenSerializer serializer, SecurityTokenResolver resolver)
 {
     Initialize(token, serializer, resolver);
 }
Beispiel #25
0
 protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver resolver)
 {
     throw new NotSupportedException();
 }
Beispiel #26
0
        protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
        {
            XmlDictionaryReader localReader = XmlDictionaryReader.CreateDictionaryReader(reader);

            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.CannotReadToken, reader.LocalName, reader.NamespaceURI, localReader.GetAttribute(CoreWCF.XD.SecurityJan2004Dictionary.ValueType, null))));
        }
Beispiel #27
0
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
            }

            outOfBandTokenResolver = null;
            SecurityTokenAuthenticator result = null;

            InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;

            if (initiatorRequirement != null)
            {
                string tokenType = initiatorRequirement.TokenType;
                if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
                }
                else if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (initiatorRequirement.IsOutOfBandToken)
                    {
                        // when the client side soap security asks for a token authenticator, its for doing
                        // identity checks on the out of band server certificate
                        result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
                    }
                    else if (initiatorRequirement.PreferSslCertificateAuthenticator)
                    {
                        result = CreateServerSslX509TokenAuthenticator();
                    }
                    else
                    {
                        result = CreateServerX509TokenAuthenticator();
                    }
                }
                else if (tokenType == SecurityTokenTypes.Rsa)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa");
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos");
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
                         tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
                         tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
                         tokenType == ServiceModelSecurityTokenTypes.Spnego)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
                }
            }
            else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                // uncorrelated duplex case
                result = CreateServerX509TokenAuthenticator();
            }

            if (result == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }

            return(result);
        }
Beispiel #28
0
 public abstract SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver);
Beispiel #29
0
 protected abstract SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver);
Beispiel #30
0
 public abstract SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver);
 public abstract SecurityTokenAuthenticator CreateTokenAuthenticator(SecurityTokenParameters p, out SecurityTokenResolver resolver);